<- Back<- Back<- Back

Cybersecurity for Construction Companies

Chris Adams
March 3, 2023

The internet of things has affected everyone. People have more internet-connected devices than ever, which also applies to businesses. Construction companies are likely not the first business that you think of when it comes to cybersecurity incidents. Still, according to an analysis by NordLocker, construction firms are now the number one target for ransomware attacks. There are several reasons why experts must focus on cybersecurity for construction companies across the board.

Why You Should Worry

Payroll, job site access control, asset management, drones, and even wearable tech use internet connections. IP surveillance cameras are another staple in access control that can easily be compromised. Even if the enterprise's risk management team appropriately manages cybersecurity risks, the construction industry's reliance on subcontractors is a significant risk factor as their cybersecurity may be lacking. That's before even thinking of more nefarious purposes.

Construction firms, architects, and engineers use building information modeling (BIM) to manage projects worldwide in real-time using the cloud. Suppliers use automated systems to delineate proper component measurements in everything from concrete to magnesite flooring, and testing is similarly done via automation on these same materials afterward. Cyber attacks targeting systems like those could severely impact critical infrastructure and other major construction projects, making them an attractive target for hostile nation-states or terrorist organizations. Cybersecurity for construction companies should be a priority for everyone in the industry for these reasons and more.

Threat actors may target construction companies for their notoriously lax data security procedures. Construction firms up and down the supply chain must secure themselves against cyber incidents and mitigate their cybersecurity risks. Failure to do so can result in civil liability, regulatory fines, reputational damage, and more that cyber insurance alone is unlikely to cover.

As someone hiring these contractors, you may end up having your own information compromised or that of your residents or customers. Breaches due to the failures of a third-party vendor can result in some of the same penalties and liabilities for commercial entities that we listed above if it can be shown that due diligence was not taken in vetting the contractor and monitoring their performance.

Notable Incidents

As mentioned earlier, ransomware is a major threat to the construction industry, but attackers also target financial data and sensitive customer information. In December 2021, a California-based concrete manufacturer reported a data breach where a third party accessed their control systems and files. Two months later, another major cyber incident led to a data security breach within an oil and natural gas provider headquartered in Oklahoma City.

What Happens in a Cyber Attack?

Cybersecurity for construction companies must be approached like any other specialty field. You can harden your defenses effectively by knowing where the likely attack vector will be. There are several frequent threat areas that experts have seen cybercriminals dial in on within the construction industry.


Whether direct use of ransomware occurs or not, bad actors can demand ransom from the victim enterprise to avoid the release of internal documents, intellectual property, financial records, customer lists, customer financial data, or virtually any information that the organization would likely not wish to become public. These direct ransom demands won't be the only cost of the cyber incident as incident response personnel will need to isolate where the breach occurred, what was compromised, ensure that the third party is excluded from the network, and prevent a similar incident from occurring again.

In a traditional ransomware attack, the victim's entire file system is encrypted, and the attackers hold the information hostage pending payment, at which time they may provide a decryption key. Unfortunately, that does not necessarily mean they will decrypt the data or leave the system intact.


Instead of a direct demand for payment, attackers zeroing in on the construction industry frequently focus on receiving funds through fraudulent wire transfers. This can be accomplished in several ways, such as phishing, business email compromise, or a spoofed email domain, but the result is the same. Attackers trick personnel into completing a fraudulent wire transfer or initiating one through stolen or compromised login credentials.

The money is then laundered through a series of intermediary accounts, making the funds exceedingly difficult to trace and recover. Even if the end location of the funds is eventually determined, it is commonly in a location where recovery is difficult or impossible to accomplish. The best way to secure your funds is to prevent unauthorized access in the first place.

Intellectual Property Theft

Yet another common tactic of cyber attackers targeting the construction industry is intellectual property theft. We mentioned the use of IP for ransom above. Still, some cybercriminals target IP for the sole purpose of reselling it to competitors or through direct corporate espionage tactics to use the obtained IP themselves. The latter is more common in countries where the government is unlikely to allow foreign entities to pursue claims against corporations within their borders.

Cyber Incident Response

After a data breach, incident response personnel have the gargantuan task of investigating the cyber attack. Finding the exploited vulnerability used to gain access is just the first task. Investigators must determine the attacker's access level to the system, what changes they made or data they accessed, and whether or not the information was exfiltrated from the network. Working downstream, investigators may find further information that this breach resulted in the compromise of other connected enterprises, whether they're clients or vendors themselves.

Cybersecurity Incident Prevention

Three of the most effective ways to mitigate cybersecurity risks are to enable multifactor authentication on all systems, regularly backup data, and install aftermarket commercial antivirus and anti-malware software on all network computers. Relying on factory settings and programs will almost always fall short. Regularly backing up data helps to lessen the blow of a potential ransomware attack, and multifactor authentication is required for nearly all cyber insurance policies. Now, we'll explain why cyber insurance is a critical component of cybersecurity for construction companies in particular.

Cyber Insurance

In today's day and age, cyber insurance is a must for any organization with an online footprint. You must ask potential vendors about their cybersecurity posture and verify that appropriate risk mitigation procedures are in place. If those controls need to be improved, you can always request that the vendor include your enterprise as an additional insured on their cybersecurity insurance policy. This is particularly interesting if your relationship will be long-term or entail a fair amount of access to sensitive data.

At West Coast Deck Waterproofing, we are one of Southern California's premier deck waterproofing contractors. We provide many services, including deck waterproofing, below grade waterproofing, decorative concrete finishes, pool deck resurfacing, and more. Whether you are looking for work done on a single family home, a large commercial property, or even a homeowner's association, no job is too big or too small. We also offer free estimates and a price match guarantee. Contact us today for a free quote for your project.